Post navigation

Toni, one of the members of the Sophos Facebook page, just got in touch with me asking if I’d seen the latest scam spreading virally across the social network.

Users are seeing messages posted by their online friends about teen popstar Miley Cyrus. They look like the following:

SICK! I lost all respect for Miley Cyrus when I saw this photo

We have seen a number of different URLs being used in the messages, but they all redirect to a page which shows a traffic sign-like image of the word “respect” crossed out in red.

The page also says “SICK! I lost all respect for Miley Cyrus when I saw this photo” followed by a large flashing graphical button labelled “CLICK HERE” under the message “Please click here, then ALLOW to see the photo.”

Regular readers of Naked Security like Toni will already be smelling something fishy at this point, but there will inevitably be some Facebook users who will feel compelled to explore further.

I’ll save you the trouble of risking your Facebook account, by explaining what happens next.

If you do click on the “CLICK HERE” button you will be taken to a standard Facebook application permissions dialog, which asks for you to approve the third-party app to access your personal data, send you emails, post status messages and pictures to your wall.

It’s hard to believe that people would allow this to happen, but if you’re desperate to see a picture of Miley Cyrus which will make you lose all respect for her (the mind boggles..) then you may well click further on.

Unfortunately continuing is a mistake, as you will be lead directly to a CPALead survey, which earns the scammers money every time one of their dumb questionnaires is answered.

The scammers only need a few people to complete their survey to make it financially worthwhile to build rogue applications like this – that’s why there are so many of them. If only Facebook took a tougher line about the applications it allowed on its network.

If you’ve been hit by a scam like this, remove references to it from your newsfeed, and revoke the right of rogue applications to access your profile via Account/ Privacy Settings/ Applications and Websites.

Here’s a quick YouTube video where I show you how to clean-up your Facebook account from such an attack:

Me neither. I would never allow any app to post on my page but now I have it in my "likes" and can't get rid of it because it says my connection failed for about a million times. Strangely I can remove every other item without a problem.

I've got this now, but I can't remove it! It seems to be hidden when I go to edit profile, and if I try to delete it from my wall the delete button is disabled… This is a sneaky, sneaky facebook virus!

Why would anyone ever hit the accept button to any app? It tells you that you are "giving them access to your information at any time, allowing them to email you, and post on your wall…" Wake up people! Why are you just giving this information to whatever company owns the app? The apps are useless anyways.

I have a video of Miley Cirus doing oral sex with someone. And it was sent to a lot of my friends. I didn't click on anything or even been on my account for a few days. How do I remove it from everyone's page?????